Standard one-user applications (programs) can be introduced into computer-supported conferences by what is referred to as "sharing" of computer-controlled programs. The persons participating in a conference, who can be at different locations, can thereby work in common with the standard one-user application. All participants can view the outputs of the respective application used in common. Exactly one of the participating persons can make inputs to the application at any point in time.
This technical design for application distribution is the basis for information-oriented systems for supporting synchronous collaboration of geographically distributed persons.
There have previously been two different user roles in the technical implementation of the "sharing" of applications: first, what is referred to as the "token holder", the person who has the right at the respective point in time to make inputs for the application; and, second, what is referred to as the "observer", meaning the other persons participating in the conference, who can observe the output of the application but have no right at the respective point in time to make an input for the application.
The role of the "token holder" is time-dependent. It can change between the participants during a conference; however, there is always exactly one "token holder" at every point in time. This means that it is always exactly one person at any point in time who has the right to make inputs for the application. On the basis of this technical solution, each "token holder" works under the privileges and with the access rights of the owner of the application, i.e. with the rights of that user who started the application. The "token holder" can thus perform exactly those operations with the application to which the owner of the application is authorized. The "token holder" can thus no longer be distinguished from the actual owner of the application. The application cannot tell that various persons are working with it, nor can it tell who is working with it at a specific point in time. In a certain sense, the respective "token holder" becomes a personification of the application owner due to the existing technical constructs of the "sharing systems".
This procedure harbors great security risks since the "token holder" thereby has access, for example, to the entire datafile system of the owner of the application when the application is, for example, a text processing program with corresponding functionality. In this case, the "token holder" could illegitimately erase, modify, read or copy datafiles without the owner of the application necessarily needing to know about it.
Window systems are currently subdivided into two known categories dependent on the operations and operating mode that these window systems employ.
First, there are what are referred to as client-server window systems with an open network interface (R. Scheifler et al., The X-Window-System, ACM Transactions on Graphics, Vol. 5, No. 2, pp. 79-109, April 1986); second, there are those without an open network interface. The latter are also known as monolithic graphics-based window systems GDWS (Microsoft Windows 3.1 Programmer's Reference, Volume 1: Overview, Microsoft Press, Redmond, ISBN 1-55615-453-4, 1992; R. Orfali et al., Client/Server Programming with OS/2, Van Nostrand Reinhold, New York, ISBN 0-442-01833-9, 1993; Inside Macintosh, Volume VI, Addison Wesley, ISBN 0-201-57755-0, 1991).
Further, expansions are also known that make the window systems into a "sharing"-capable window system (H. Abdel-Wahab et al., Issues, Problems and Solutions in Sharing X Clients on Multiple Displays, Internetworking: Research and Experience, Vol. 5, pp. 1-15, 1994; D. Garfinkel et al., HP Shared X: A Tool for Real-Time Collaboration, Hewlett-Packard Journal, pp. 23-26, April 1994; W. Minenko, Transparentes Application-Sharing unter X Window, Multimediale Telekooperation, Deutsches Forschungszentrum für Künstliche Intelligenz (DFKI) GmbH, Saarbrücken, pp. 1-8, 1994; J. Baldeschwieler et al., A Survey on X Protocol Multiplexors, ACM SIGCOMM, Computer Communication Review, Swiss Federal Institute of Technology, Computer Engineering and Networks Laboratory (TIK), ETH-Zentrum, Zürich, pp. 16-24, 1993; U. Pech, Sichtlich beeindruckt, PC Professionell, pp. 71-88, October 1995; E. Chang et al., Group Coordination in Participant Systems, IEEE, Proceedings of the 24th Annual Hawaii International Conference on System Sciences, Vol. 3, No. 4, Kauai, Hi., pp. 589-599, January 1991; A. Nakajima, A Telepointing Tool for Distributed Meeting Systems, IEEE Global Telecommunications Conference and Exhibition, Vol. 1, No. 3, San Diego, Calif., pp. 76-80, December 1990; J. Patterson, The Implications of Window Sharing for a Virtual Terminal Protocol, IEEE International Conference on Communications, Vol. 1, No. 4, Atlanta, Ga., pp. 66-70, April 1990; G. Herter, Intel ProShare, Accounting Technology, Vol. 11, No. 1, pp. 49-54, January 1995; D. Riexinger et al., Integration of Existing Applications into a Conference System, Proceedings of International Conference on Multimedia Transport and Teleservices, Vienna, pp. 346-355, November 1994).
Further, a security expansion is known for one-user applications usable in common by a plurality of users (G. Gahse, "Zugriffskontrolle in Konferenzsystemen", IBM Deutschland Informationssysteme GmbH, Europäisches Zentrum für Netzwerkforschung, Heidelberg, 1995).
The previously known method for expanding the security of one-user applications in conference systems describes an access control method whereby a one-user application is to be used in common by a plurality of users under specific "sharing privileges". In this method, a common, new, temporary identity is allocated to the users for the time span of the collaboration. This common temporary identity has access rights ("sharing" privileges) allocated to it, as a result of which the original rights can be set aside. For example, none of the conference participants can thus illegitimately access data of the local system during use of the application.
A critical disadvantage that can be seen in the known method is that the proposed access control mechanism does not take the various users into consideration in the allocation of requested resources, and, thus, no distinction is possible between the "token holder" and the owner of the application.
A principal cause of the security risks that continue to exist with this method is that a number of persons, for example the system administrator as well as other users that are listed in a specific "authorization datafile", can still set the rights of the other users for an application. As a result of this procedure, users other than the actual owner of the application can still "decide", for example, over the datafile system of the owner of the application. This precondition of the trustworthiness of the users who allocate the rights for applications represents a considerable security risk.
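
The following Python model is an added illustration, not part of the original text or of any of the cited systems. It contrasts the token-only model described above, in which every "token holder" acts with the owner's rights, with a variant that checks each input against rights that only the owner may allocate. The class `SharedApp`, its methods, the users and the file names are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class SharedApp:
    owner: str
    files: dict                        # constructed stand-in for the owner's files
    enforce: bool = False              # False: token-only model; True: per-user check
    token_holder: str = ""
    rights: dict = field(default_factory=dict)  # user -> permitted operations

    def __post_init__(self):
        self.token_holder = self.owner  # the owner starts the application

    def pass_token(self, user):
        self.token_holder = user        # exactly one token holder at any time

    def grant(self, granted_by, user, ops):
        # Only the owner decides about rights on the owner's resources.
        if granted_by != self.owner:
            raise PermissionError("only the owner may allocate rights")
        self.rights[user] = set(ops)

    def request(self, sender, op, name):
        if sender != self.token_holder:
            raise PermissionError("observers may not make inputs")
        if self.enforce and sender != self.owner \
                and op not in self.rights.get(sender, set()):
            raise PermissionError(f"{sender} may not {op} {name}")
        # From here on the operation runs with the owner's access rights.
        if op == "read":
            return self.files[name]
        if op == "delete":
            return self.files.pop(name)
        raise ValueError(op)

def demo():
    """Same conference twice: token-only model, then per-user check."""
    results = {}
    for enforce in (False, True):
        app = SharedApp("alice", {"notes.txt": "agenda", "salary.txt": "private"}, enforce)
        app.grant("alice", "bob", {"read"})
        app.pass_token("bob")
        try:
            app.request("bob", "delete", "salary.txt")
            outcome = "deleted"
        except PermissionError:
            outcome = "denied"
        results[enforce] = (outcome, sorted(app.files))
    return results

if __name__ == "__main__":
    print(demo())
```

In the token-only run the owner's grant has no effect, because the application never learns which participant sent the input.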